Emilio Pozuelo Monfort pushed to branch debian-bullseye at X Strike Force / xserver / xorg-server
Commits: b8753e5b by Emilio Pozuelo Monfort at 2022-11-10T13:18:48+01:00 Security update * xkb: proof GetCountedString against request length attacks (CVE-2022-3550) * xkb: fix some possible memleaks in XkbGetKbdByName (CVE-2022-3551) - - - - - 4126d4f4 by Emilio Pozuelo Monfort at 2022-11-11T13:38:16+01:00 Release to bullseye-security - - - - - 4 changed files: - debian/changelog - + debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch - + debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,10 @@ +xorg-server (2:1.20.11-1+deb11u3) bullseye-security; urgency=medium + + * xkb: proof GetCountedString against request length attacks (CVE-2022-3550) + * xkb: fix some possible memleaks in XkbGetKbdByName (CVE-2022-3551) + + -- Emilio Pozuelo Monfort <[email protected]> Fri, 11 Nov 2022 13:37:52 +0100 + xorg-server (2:1.20.11-1+deb11u2) bullseye-security; urgency=medium * xkb: add request length validation for XkbSetGeometry (CVE-2022-2319) ===================================== debian/patches/11_xkb-proof-GetCountedString-against-request-length-at.patch ===================================== @@ -0,0 +1,34 @@ +From 11beef0b7f1ed290348e45618e5fa0d2bffcb72e Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <[email protected]> +Date: Tue, 5 Jul 2022 12:06:20 +1000 +Subject: [PATCH] xkb: proof GetCountedString against request length attacks + +GetCountedString did a check for the whole string to be within the +request buffer but not for the initial 2 bytes that contain the length +field. A swapped client could send a malformed request to trigger a +swaps() on those bytes, writing into random memory. + +Signed-off-by: Peter Hutterer <[email protected]> +--- + xkb/xkb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index f42f59ef3..1841cff26 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5137,6 +5137,11 @@ _GetCountedString(char **wire_inout, ClientPtr client, char **str) + CARD16 len; + + wire = *wire_inout; ++ ++ if (client->req_len < ++ bytes_to_int32(wire + 2 - (char *) client->requestBuffer)) ++ return BadValue; ++ + len = *(CARD16 *) wire; + if (client->swapped) { + swaps(&len); +-- +2.30.2 + ===================================== debian/patches/12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch ===================================== @@ -0,0 +1,59 @@ +From 18f91b950e22c2a342a4fbc55e9ddf7534a707d2 Mon Sep 17 00:00:00 2001 +From: Peter Hutterer <[email protected]> +Date: Wed, 13 Jul 2022 11:23:09 +1000 +Subject: [PATCH] xkb: fix some possible memleaks in XkbGetKbdByName + +GetComponentByName returns an allocated string, so let's free that if we +fail somewhere. + +Signed-off-by: Peter Hutterer <[email protected]> +--- + xkb/xkb.c | 26 ++++++++++++++++++++------ + 1 file changed, 20 insertions(+), 6 deletions(-) + +diff --git a/xkb/xkb.c b/xkb/xkb.c +index 4692895db..b79a269e3 100644 +--- a/xkb/xkb.c ++++ b/xkb/xkb.c +@@ -5935,18 +5935,32 @@ ProcXkbGetKbdByName(ClientPtr client) + xkb = dev->key->xkbInfo->desc; + status = Success; + str = (unsigned char *) &stuff[1]; +- if (GetComponentSpec(&str, TRUE, &status)) /* keymap, unsupported */ +- return BadMatch; ++ { ++ char *keymap = GetComponentSpec(&str, TRUE, &status); /* keymap, unsupported */ ++ if (keymap) { ++ free(keymap); ++ return BadMatch; ++ } ++ } + names.keycodes = GetComponentSpec(&str, TRUE, &status); + names.types = GetComponentSpec(&str, TRUE, &status); + names.compat = GetComponentSpec(&str, TRUE, &status); + names.symbols = GetComponentSpec(&str, TRUE, &status); + names.geometry = GetComponentSpec(&str, TRUE, &status); +- if (status != Success) ++ if (status == Success) { ++ len = str - ((unsigned char *) stuff); ++ if ((XkbPaddedSize(len) / 4) != stuff->length) ++ status = BadLength; ++ } ++ ++ if (status != Success) { ++ free(names.keycodes); ++ free(names.types); ++ free(names.compat); ++ free(names.symbols); ++ free(names.geometry); + return status; +- len = str - ((unsigned char *) stuff); +- if ((XkbPaddedSize(len) / 4) != stuff->length) +- return BadLength; ++ } + + CHK_MASK_LEGAL(0x01, stuff->want, XkbGBN_AllComponentsMask); + CHK_MASK_LEGAL(0x02, stuff->need, XkbGBN_AllComponentsMask); +-- +2.30.2 + ===================================== debian/patches/series ===================================== @@ -10,3 +10,5 @@ 08_xkb-switch-to-array-index-loops-to-moving-pointers.patch 09_xkb-add-request-length-validation-for-XkbSetGeometry.patch 10_xkb-swap-XkbSetDeviceInfo-and-XkbSetDeviceInfoCheck.patch +11_xkb-proof-GetCountedString-against-request-length-at.patch +12_xkb-fix-some-possible-memleaks-in-XkbGetKbdByName.patch View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/4ce1d1ce1d65ada71ee6e15e813d78f705113d2f...4126d4f495aeee81a71f745e213effb4113341cc -- View it on GitLab: https://salsa.debian.org/xorg-team/xserver/xorg-server/-/compare/4ce1d1ce1d65ada71ee6e15e813d78f705113d2f...4126d4f495aeee81a71f745e213effb4113341cc You're receiving this email because of your account on salsa.debian.org.
